Amazon will enable S3 Block Public Access and disable access control lists for all new buckets by default.

2022.12.14

This article was published more than a year ago. Please note that the information may be out of date.

You might be wondering: isn't this already the default setting? Yes, it is the default, but with a catch...

Amazon has just posted advance notice of an S3 update that will automatically enable Block Public Access and disable S3 Access Control Lists. The update will start rolling out to all AWS Regions, including the GovCloud Regions, in April 2023. These two settings are already the defaults when a bucket is created from the AWS Management Console, but that is not the case when the bucket is created using the AWS CLI, APIs, SDKs, or AWS CloudFormation.

Currently, the default settings allow only the bucket owner to access the bucket unless the owner grants access to other users. To increase the security of S3 buckets, AWS added Block Public Access and the option to disable ACLs, promoting the use of IAM policies instead, which has become the best practice for the majority of users.

What will happen to the existing buckets?

The configuration of existing buckets will remain the same; the new defaults apply only to buckets created after the update is rolled out in April 2023.

Do you need to be prepared for it?

The vast majority of S3 use cases do not require public access or ACLs, so for most customers no action is needed. If you have use cases that require public bucket access or ACLs, you can disable Block Public Access or enable ACLs after creating the bucket. You may need to update automation scripts, AWS CloudFormation templates, or other infrastructure configuration tools to set these settings explicitly.

What's Changing

S3 Block Public Access - For newly created buckets, all four bucket-level Block Public Access settings will be enabled.

Block Public Access (BPA) was previously enabled by default when creating an S3 bucket from the Management Console, so you might not even have been aware of it. It had to be enabled explicitly when building with tools like the AWS CLI or SDKs like Boto3, though. This distinction is gone thanks to today's announcement, which makes BPA the default regardless of how you create your S3 bucket.

Along with that, any attempt to set a bucket policy or access policy that grants public access will fail with a 403 Access Denied error. If your use case still needs public access for a new bucket, you can create it normally and then remove the public access block with DeletePublicAccessBlock (you will need the s3:PutBucketPublicAccessBlock permission to call this API; read the Block Public Access documentation to learn more about the APIs and the permissions).

ACLs Disabled - For newly created buckets, the Bucket owner enforced setting will be enabled, rendering bucket ACLs and object ACLs ineffective and ensuring that the bucket owner is the object owner regardless of who uploads the object. To enable ACLs for a bucket, set the ObjectOwnership parameter to ObjectWriter in your CreateBucket request, or call DeleteBucketOwnershipControls after the bucket is created. To use the parameter or call the API, you must have the s3:PutBucketOwnershipControls permission; for more information, see Controlling Ownership of Objects and Creating a Bucket.
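Because existing buckets are not touched by the change, a practitioner will want to know which of them already match the new defaults. The following audit helper is an added example, not code from the original post or from AWS. It works on the response shapes of the real S3 APIs GetPublicAccessBlock and GetBucketOwnershipControls (the four setting names BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets, and the ObjectOwnership values, are the real API identifiers); the bucket names and responses below are constructed samples, not data from a real account, so the example runs offline without boto3.

```python
"""Audit S3 bucket settings against the new Block Public Access / ACL defaults.

Added example (not from the original post). With boto3 the two inputs would come
from s3.get_public_access_block(Bucket=name) and
s3.get_bucket_ownership_controls(Bucket=name); both APIs signal "nothing
configured" with an error (NoSuchPublicAccessBlockConfiguration and
OwnershipControlsNotFoundError), which this example represents as None.
"""
from typing import Dict, List, Optional

# The four bucket-level Block Public Access settings (real API field names).
BPA_SETTINGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)

# The ObjectOwnership value that disables ACLs (real API value).
ACLS_DISABLED = "BucketOwnerEnforced"


def audit_bucket(pab_response: Optional[dict], ownership_response: Optional[dict]) -> List[str]:
    """Return a list of findings; an empty list means the bucket already matches the new defaults."""
    findings: List[str] = []

    # Part 1: the four Block Public Access settings. A missing configuration means
    # every setting is effectively off, which is what CLI/SDK-created buckets got before.
    if pab_response is None:
        findings.append("no PublicAccessBlock configuration (all four settings effectively off)")
    else:
        cfg = pab_response.get("PublicAccessBlockConfiguration", {})
        for setting in BPA_SETTINGS:
            if not cfg.get(setting, False):
                findings.append(f"{setting} is disabled")

    # Part 2: object ownership. Without ownership controls the bucket behaves like
    # ObjectWriter, so ACLs are still in effect.
    if ownership_response is None:
        findings.append("no OwnershipControls set (ACLs still in effect)")
    else:
        rules = ownership_response.get("OwnershipControls", {}).get("Rules", [])
        mode = rules[0].get("ObjectOwnership") if rules else None
        if mode != ACLS_DISABLED:
            findings.append(f"ObjectOwnership is {mode}, ACLs still in effect")

    return findings


# Constructed sample responses (placeholder bucket names, not real buckets).
SAMPLE_BUCKETS: Dict[str, tuple] = {
    # Console-created bucket: both defaults already applied.
    "example-console-bucket": (
        {"PublicAccessBlockConfiguration": {s: True for s in BPA_SETTINGS}},
        {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}},
    ),
    # Bucket created via the CLI before the change, with nothing set explicitly.
    "example-cli-bucket": (None, None),
    # Bucket with a partial Block Public Access setup and ACLs enabled.
    "example-partial-bucket": (
        {"PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True,
            "IgnorePublicAcls": True,
            "BlockPublicPolicy": False,
            "RestrictPublicBuckets": False,
        }},
        {"OwnershipControls": {"Rules": [{"ObjectOwnership": "ObjectWriter"}]}},
    ),
}


def run_audit(buckets: Dict[str, tuple] = SAMPLE_BUCKETS) -> Dict[str, List[str]]:
    """Audit every bucket and return {bucket name: findings}."""
    return {name: audit_bucket(pab, own) for name, (pab, own) in buckets.items()}


if __name__ == "__main__":
    for name, findings in run_audit().items():
        status = "matches new defaults" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

The audit treats "no configuration" differently from "configured but off" on purpose: the first is the state every CLI-, SDK- or CloudFormation-created bucket was left in before this change, and it is the one worth looking for in an inventory.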

Which Regions?

During the month of April 2023, the new default settings will gradually be rolled out across all AWS Regions, including the AWS GovCloud (US) Regions and the AWS China Regions.

Conclusion

Since the majority of use cases don't require public access or ACLs, and leaving both off is among the best practices for the majority of AWS users, this update makes sense and will improve the security of S3 buckets.

Reference